As employers, pharmacy business owners process their employees’ data daily, and must consider whether their contracts of employment and policies should be amended to reflect the new GDPR requirements.
Previously, employers asked employees to consent to their data being processed for employment-related purposes and included wording to that effect in employment contracts. The GDPR stipulates that additional requirements must be satisfied to obtain valid consent for the processing of ordinary and sensitive personal data. In practice, business owners will be unable to rely on employee consent to justify day-to-day processing of employee data; consent provisions in existing contracts of employment will likely be invalid and contractual wording should be updated.
Pharmacy businesses process highly sensitive personal data in relation to their patients, so owners must ensure that their systems are robust and compliant and that employees understand their data handling obligations. Owners should create appropriate and detailed policies to offer employees guidance on handling third-party data, alert staff to such policies, and ensure employees are aware that any breach could result in disciplinary action.
Under the GDPR, employees/former employees remain able to make data subject access requests (“DSARs”) to a business for data held in relation to them. However, employers will no longer be able to charge a nominal fee for responding to a DSAR and the timeframe for response will be reduced from 40 calendar days to one month.
It would be unwise to ignore the recent changes, as penalties are high.